Global Equity Strategy

[Pages:13]Global Equity Strategy

June 2019

Life's a Breach ? Investing in Cyber Security

Wietse Nijenhuis Head - Equity Strategy +1-212-559-0341 wietse.nijenhuis@

Steven Wieting Chief Investment Strategist

Matthew Jones Investment Analyst

As our lives shift online, securing sensitive data is essential not just for technology companies that monetize our data such as Facebook, but also for any business maintaining customer data, including governments. The number of data breaches in the US has doubled over the past 5 years, with the average breach costing $13m last year.

Mega breaches such as the one at Equifax in 2017, which led to a 35% share price drop and senior resignations (including the CEO) have elevated the importance of cyber security. The cost of a cyber security failure are visible in more than just the share price. There are potential legal and difficult to quantify reputational costs as well.

Greater regulatory scrutiny of mega cap technology companies in the US and the introduction of the General Data Protection Regulation (GPRD) in Europe are a reminder of the importance of keeping data safe. For companies operating in Europe, simply not reporting a data breach within 3 days can elicit a fine of 4% of global revenues.

It is therefore no surprise that spending on internet security is expected to grow at a compound annual growth rate over 9% between 2018 and 2022, by which time the market for internet security will reach $134bn according to IDC. Even if overall IT budgets shrink, companies are likely to prioritize security amid stricter compliance requirements and the ongoing shift to cloud. 5G rollout is another catalyst for increased internet security investment.

The ISE Cyber Security index, which tracks companies actively involved in providing cyber security technology and services, has outperformed global equities by 10% this year and by 33% over the past 2 years.

The proliferation of data is set to continue in today's increasingly digital world. This underpins cyber security spend as companies seek ways to secure data and protect networks. Cyber security fits within the digitization theme identified by Citi Private Bank as one of three unstoppable trends in our Outlook 2019 report.

Number of data breaches Price Index (rebased to 100)

1750

Data breaches growing in the US

1632

1500 1250

1090

1251

1000 750 500 250

781 779

656

662

614

446

498

421 471

321

157

0

Financial Government

Business Health

Education Total

Cyber security outperformance has accelerated in recent years

240

220

ISE Cyber Security Index

MSCI ACWI

200

180

160

140

120

100

80 2014

2015

2016

2017

2018

2019

Source: Identity Theft Resource Center as of June 18, 2019.

Source: Refinitiv as of June 18, 2019.

Indices are unmanaged. An investor cannot invest directly in an index. All forecasts are expressions of opinion and are subject to change without notice and are not intended to a guarantee of future events. Past performance is no guarantee of future returns. Real results may vary. For illustrative purposes only.

INVESTMENT PRODUCTS: NOT FDIC INSURED ? NOT CDIC INSURED ? NOT GOVERNMENT INSURED ? NO BANK GUARANTEE ? MAY LOSE VALUE

Cyber attacks and data fraud are 2 of the top 5 risks CEOs expect to face in 2019

Cyber security companies have outperformed strongly in recent years.

Today Every Company is a Data Company

Our lives are shifting online, whether it be sharing our personal data on networking sites, paying for goods and services, streaming content or maintaining our calendars and shopping lists in the cloud. Many of us have even sent our DNA off to companies to be analyzed and stored and paid for the privilege. All of this data, in many cases sensitive data, we voluntarily share with the expectation that it will remain private.

For many companies, data is the lifeblood of their business, using it to cater more closely to the needs of their customers. According to Accenture, fewer than one in four companies relied on the internet for their business operations 10 years ago, today that figure is 100% of businesses1. This shift to online brings great benefits, but also challenges. According to the World Economic Forum, cyber attacks and data fraud are two of the top five risks CEOs expect to face in 20192.

With data breaches surging in recent years, companies cannot blindly assume that consumers will continue to so willingly share their data. For a modern business to thrive, it is vital that it safeguards its two most valuable commodities; customer data and trust.

A Competitive Market Underpinned by the Unstoppable Proliferation of Data

Internet security companies have thrived over the past 5 years as cyber attacks have risen and more and more data is generated by new technologies and devices, most of which is stored or monetized. Companies already acutely aware of the need to invest in technology in today's rapidly evolving competitive environment need little incentive to apportion large parts of their budgets to internet security, following a rising number of data breaches costing ever more money and reputational damage.

An equal-weighted basket of companies with revenue streams linked to internet security have outperformed global equities meaningfully in recent years (chart below) while the ISE Cyber Security Index has more than doubled over the past 5 years.

Why invest in cyber security companies now? As the business cycle matures, it makes sense to question the outlook for this group of high growth companies which in many cases trade on expensive multiples. Such healthy skepticism makes perfect sense. Indeed, not all areas of internet security exhibit the same prospects and investors should carefully assess which companies are exposed to growth areas such as cloud security and next generation endpoint security, rather than slowing growth areas such as anti-virus and firewall software.

Equal-Weighted Basket* of Cyber Security Stocks vs. Global Equities 350

Total Return

300

MSCI AC World

250

Cyber Security Basket

200

+170%

150

100

50

'14

'15

'16

'17

'18

'19

Sources: Citi Private Bank and Bloomberg, as of June 2019. *The chart shows the performance of a basket of Cyber Security stocks on an equal weighted basis. The stocks included are Palo Alto Networks, Splunk, Check Point Software Technologies, Okta, Fortinet, Symantec, Zscaler, Proofpoint, Trend Micro, Aisino, Avast, Qualys, FireEye, Mimecast, Sophos Group, Rapid7, Varonis Systems, NextDC, Sailpoint Technologies, ForeScout Technologies, SecureWorks, NCC Group and Ahnlab. Indices are unmanaged. An investor cannot invest directly in an index. They are shown for illustrative purposes only and do not represent the performance of any specific investment. Past performance is no guarantee of future results, and future results may not meet our expectations due to a variety of economic, market and other factors. Real results may vary. For illustrative purposes only. This should not be construed as an offer of, or recommendation of companies discussed.

1 Securing the digital economy, Accenture 2 World Economic Forum Global Risks Report 2019, www3.docs/WEF_Global_Risks_Report_2019.pdf

Global Equity Strategy June 2019 2

Even if overall IT budgets shrink, boards are likely to prioritize security amid stricter regulations and the ongoing shift to cloud

Companies outsource their IT needs via cloud computing, a big growth area and a tailwind for internet security expenditure

With a large number of companies offering internet security solutions having sprung up in recent years, the market is becoming more saturated and an increasing amount of M&A is likely in the space, also from non-traditional internet security companies looking to gain exposure to the cyber security market.

Many of today's cyber security companies haven't yet weathered an economic downturn, which could potentially expose weaknesses in their business models. This makes careful selection important, but as is the case in any industry, the best companies will become stronger. After all, the proliferation of data is an unstoppable trend and even if overall IT budgets shrink, boards are likely to prioritise security amid stricter compliance requirements and the ongoing shift to cloud.

It's in the Cloud (What is the Cloud?)

A key driver of cyber security revenue growth is cloud computing. Most of us by now will have some knowledge of "the cloud", which we might think about as a place where we store our pictures and funny cat videos so not to utilize the memory on our smartphones, while making them accessible on multiple devices.

A business on the other hand, will likely view the cloud as a way to rent software and systems from companies that outsource computing services. The companies outsourcing these services are in many cases well-known tech giants such as Microsoft, Amazon and Google, which are investing heavily in data centers (where all the computing hardware is found).

Outsourcing your technology needs via cloud computing as opposed to buying hardware has numerous benefits for companies big and small. It gives a business far greater flexibility to scale its services up or down at short notice while systems can also be accessed from anywhere with an internet connection. This facilitates mobility and improves collaboration for businesses with offices in multiple locations. Companies also get fast access to new software while also having a greener footprint.

The shift to cloud computing that many companies have already undertaken has given birth to a number of sub-categories of cloud computing, such as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). We won't go into details about what each of these mean, rather we want to point out that the cloud services market is expected to grow strongly in the coming years. Gartner forecasts the market to grow from $182.4bn in 2018 to $331.2bn in 2022.

$ Billions

Worldwide Public Cloud Service Revenue Forecast

350

300

250

200

$182bn

$214bn

$250bn

$289bn

$331bn

150

100

50

0 2018

2019f

Cloud Business Process Services

Cloud Application Services

Cloud System Infrastructure Services

2020f

2021f

2022f

Cloud Application Infrastructure Services

Cloud Management and Security Services

Source: Gartner as of April 2019. All forecasts are expressions of opinion and are subject to change without notice and are not intended to be a guarantee of future events.

Also according to Gartner research, by 2020 a corporate `no-cloud' policy will be as unusual as a `nointernet' policy is today. With so many companies incentivized/forced to operate their businesses in the cloud, the importance of adequately securing all this data is obvious.

Global Equity Strategy June 2019 3

Human error is one of the leading causes of data breaches

Types of Cyber Attacks

A cyber attack is a malicious and deliberate security breach of an individual or a company's information systems, usually for the purpose of stealing data or profiting in some other way. However, as cybercrime evolves, it is not just about stolen data, increasingly data is being destroyed or altered, often causing as much if not more disruption to businesses. When many people think of cyber attacks, they imagine a computer wiz dressed in all black sitting in a dark room somewhere filled with computer screens. While this stereotype works for the silver screen, the reality is somewhat different. Cyber attacks today come in many forms, whether it be malware, phishing or ransomware, to name a few. Willingly or not, a company's employees are often the weakest link as they either leave their information systems unprotected or are tricked into downloading compromising software via an email or link. Other employee related causes include failing to promptly update software or install patches. An effective internet security strategy should therefore encompass both software and ongoing employee education.

Distribution by root cause of data breach

Human Error 27%

Malicious or Criminal Attack

48%

System Glitch 25%

The costs of a data breach is growing, and could rise further as companies seek ever more granular customer data

Source: IBM as of December 2018

Actions that companies can take to mitigate cyber attacks and/or limit their impact include minimizing data collection to only essential data, training staff and preparing them for the eventuality of a data breach. Encryption can also be used to provide an additional layer of data protection. The costs of a breach typically rises with time, making a swift response critical. And of course, companies can invest in security software.

With the cost of data breaches rising year after year, cyber security investment will remain a priority for companies for decades to come.

Costs of Data Breach Measured in More than Just $

Not only are cyber attacks increasing, but so is their sophistication. Correspondingly, the time and money needed to resolve internet security breaches is also rising. According to Accenture, the average cost of cybercrime for each company in its study increased from $11.7m in 2017 to $13.0m in 20183. Broken down by contribution to this cost in 2018 was information loss ($5.9m), followed by business disruption ($4.0m), revenue loss ($2.6m) and equipment damage (0.5m).

Of course, the majority of data breaches are small and their impact is relatively limited. This could change as companies collect more granular data. In addition, tighter regulations, especially in Europe will lead to higher costs for companies which failed to adequately secure data.

Far more damaging are the mega breaches which periodically make headlines. The Equifax data breach in 2017 is a case in point. Although Equifax didn't report the breach until September 2017, it was between May and July 2017 that hackers gained access to sensitive customer information such as social security numbers of 143m Equifax customers.

3 Cost of Cyber Security, Accenture

Global Equity Strategy June 2019 4

Price rebased to 100 on 1 Jan 2017 Jan-17 Feb-17 Mar-17 Apr-17 May-17 Jun-17 Jul-17 Aug-17 Sep-17 Oct-17 Nov-17 Dec-17 Jan-18 Feb-18 Mar-18 Apr-18 May-18 Jun-18 Jul-18 Aug-18 Sep-18 Oct-18 Nov-18 Dec-18 Jan-19 Feb-19 Mar-19 Apr-19 May-19 Jun-19

Almost 2 years later Equifax's share price still hasn't regained it's prebreach level

140

Breach

announced 130

120

110

100

90

80

Sept 2017: CEO and

Equifax

other other senior

70

S&P 500

executives retire

60

Source: Refinitiv as of June 18, 2019.

Equifax recently revealed that dealing with the 2017 breach has cost the company $1.4bn plus legal fees so far, this includes incident response as well as new security systems4. While this is an extreme example, it does not include the less-easy to quantify reputational damage to the company, something which companies are very aware of in the age of social media when customer perception can quickly shift.

A survey of 1,000 Americans conducted by internet security firm Varonis Systems found that customers are much less likely to continue using businesses which have experienced a breach. In particular, trust erosion was the greatest among new industries such as social media and ridesharing companies compared with more traditional industries such as retail stores.

What company are you most likely to shop with after they've experienced a data breach?

All business are being targeted by cyber criminals, including governments

Retail Store

42%

Hotel

20%

Bank

17%

Social Site

14%

Rideshare Service

7%

0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

Source: Varonis Systems as of 2019

Importantly, cybercrime is not limited to technology companies. The banking and utilities industries have the highest costs of cybercrime across Accenture's sample, seeing an 11% and 16% increase in costs between 2017 and 2018 respectively.

While the motivations behind banking being a target of cybercrime are clear since these institutions deal with money and personal information, the two things most cyber criminals are after, less obvious is why the utilities sector is a target. Even these companies need to invest heavily in internet security in order to ward off attacks from so-called `hacktivists' seeking to cause widespread power outages or other ways to undermine infrastructure systems.

4 Equifax's Data Breach Costs hit $1.4 Billion, Bank Info Security

Global Equity Strategy June 2019 5

Europe is leading the way on data privacy regulation, but lawmakers in the US are catching up

The average annual cost of cybercrime by industry ($mn)

Banking Utilities Software Autmotive Insurance High Tech Capital Markets Energy US Federal Consumer Goods

Health Retail Life Sciences Comms. and Media Travel Public Sector

0

4

Cost of Cybercrime in 2018

9.2 8.2 7.9

11.9 11.8 11.4 10.9

16.0 15.8 15.8 14.7 13.9 13.8 13.7

8

12

16

Cost of Cybercrime in 2017

18.4 17.8

20

Source: Accenture as of 2019

Regulations

As governments work to catch up with rapid technological developments, regulations will gradually increase making custodians of customer data increasingly accountable for protecting this information.

Europe is leading way with the introduction of the General Data Protection Regulations (GDPR) in May 2018. Described by some as the most important change in data privacy regulation in 20 years and by others as the most draconian regulation of our time. The broad scope of GDPR means that it applies to all organizations processing data belonging to EU citizens, regardless of whether or not the organization is EU domiciled.

Fines administered under GDPR can be meaningful; companies can be fined up to 4% of annual global turnover. Not only that, but Article 33 dictates that data breaches must be reported to supervisory authorities within 72 hours of the company becoming aware of the incident.

In the US data privacy regulation is also changing. A combination of federal and state-level legislation currently covers data privacy and security and requirements vary by state. For example, California and Vermont laws require companies to report breaches but also to make changes to their data processing practices. However, the idea of stricter federal data privacy legislation is gaining momentum. In July 2018, the White House said it was looking forward to working with Congress on "a consumer privacy protection policy that strikes an appropriate balance between privacy and prosperity."

The onus is already on companies to manage the risks around customer data, but with lawmakers behind the curve on data privacy, regulations are unlikely to be relaxed anytime soon.

Conclusion

Data is today's most valuable commodity, but unlike oil or other resources, it is not finite. In fact it is growing at an unfathomable rate. The digital and data super cycle in which we find ourselves is rapidly changing how consumers, governments and businesses operate.

As companies seek to collect and monetize ever more granular customer data, the importance of the systems protecting it will grow with it. One company's success relative to another could be determined by its data privacy record and standards. Megatrends such as the shift to cloud computing, 5G roll-out and government regulation underpin the cyber security space as a critical area of investment for governments, corporations and private citizens alike.

Cyber security fits within the digitization theme identified by Citi Private Bank as one of three unstoppable trends in our Outlook 2019 report.

Global Equity Strategy June 2019 6

Asset Allocation Definitions

Asset classes

Benchmarked against

Global equities Global bonds Hedge funds Commodities

Cash

MSCI All Country World Index, which represents 48 developed and emerging equity markets. Index components are weighted by market capitalization.

Bloomberg Barclays Capital Multiverse (Hedged) Index, which contains the government -related portion of the Multiverse Index, and accounts for approximately 14% of the larger index.

HFRX Global Hedge Fund Index, which is designed to be representative of the overall composition of the hedge fund universe. It comprises all eligible hedge fund strategies; including but not limited to convertible arbitrage, distressed securities, equity hedge, equity market neutral, event driven, macro, merger arbitrage and relative value arbitrage. The strategies are asset-weighted based on the distribution of assets in the hedge fund industry.

Dow Jones-UBS Commodity Index, which is composed of futures contracts on physical commodities traded on US exchanges, with the exception of aluminum, nickel and zinc, which trade on the London Metal Exchange (LME). The major commodity sectors are represented including energy, petroleum, precious metals, industrial metals, grains, livestock, softs, agriculture and ex-energy. The Thomson Reuters / Core Commodity Index is designed to provide timely and accurate representation of a long-only, broadly diversified investment in commodities through a transparent and disciplined calculation methodology.

Three-month LIBOR, which is the interest rates that banks charge each other in the international inter-bank market for three-month loans (usually denominated in Eurodollars).

Equities

Developed market large MSCI World Large Cap Index, which is free-float adjusted and weighted by market capitalization. The index is designed

cap

to measure the equity market performance of the large cap stocks in 23 developed markets. Large cap is defined as

stocks representing roughly 70% of each market's capitalization.

All Country Ex US

MSCI All Country ex US, which is free-float adjusted and weighted by market capitalization. The index is designed to measure the equity market performance of the large cap stocks in all countries excluding the US.

US ? S&P 500

Standard & Poor's 500 Index, which is a capitalization-weighted index that includes a representative sample of 500 leading companies in leading industries of the US economy. Although the S&P 500 focuses on the large cap segment of the market, with over 80% coverage of US equities, it is also an ideal proxy for the total market.

US ? S&P 600

The S&P SmallCap 600 measures the small-cap segment of the U.S. equity market. The index is designed to track companies that meet specific inclusion criteria to ensure that they are liquid and financially viable.

Europe ex UK

MSCI Europe ex UK Large Cap Index, which is free-float adjusted and weighted by market capitalization. The index is designed to measure large cap stock performance in each of Europe's developed markets, except for the UK

Eurozone

Euro Stoxx 50 is a stock index of large cap Eurozone stocks. Its aim is to measure the performance of 50 of the largest Eurozone domiciled stocks.

Emerging Markets

MSCI Emerging Markets Index, which is free-float adjusted and weighted by market capitalization. The index is designed to measure stock performance 24 Emerging Market countries.

UK

The Financial Times Stock Exchange 100 Index, also called the FTSE 100 Index, is a share index of the 100 companies

listed on the London Stock Exchange with the highest market capitalization.

Japan

Topix is a free-float adjusted market capitalization-weighted index that is calculated based on all the domestic common stocks listed on the Tokyo Stock Exchange. The Topix shows the measure of current market capitalization assuming that market capitalization as of the base date (January 4 ,1968) is 100 points.

Asia Pacific ex Japan

MSCI Asia Pacific ex Japan Large Cap Index, which is free-float adjusted and weighted by market capitalization. The index is designed to measure the performance of large cap stocks in Australia, Hong Kong, New Zealand and Singapore.

Developed market small MSCI World Small Cap Index, which is a capitalization-weighted index that measures small cap stock performance in 23

and mid-cap (SMID)

developed equity markets.

Emerging market

MSCI Emerging Markets Index, which is free-float adjusted and weighted by market capitalization. The index is designed to measure equity market performance of 22 emerging markets.

Bonds

Developed sovereign

Emerging sovereign

Supranationals Corporate investment grade

Citi World Government Bond Index (WGBI), which consists of the major global investment grade government bond markets and is composed of sovereign debt, denominated in the domestic currency. To join the WGBI, the market must satisfy size, credit and barriers-to-entry requirements. In order to ensure that the WGBI remains an investment grade benchmark, a minimum credit quality of BBB?/Baa3 by either S&P or Moody's is imposed. The index is rebalanced monthly.

Citi Emerging Market Sovereign Bond Index (ESBI), which includes Brady bonds and US dollar -denominated emerging market sovereign debt issued in the global, Yankee and Eurodollar markets, excluding loans. It is composed of debt in Africa, Asia, Europe and Latin America. We classify an emerging market as a sovereign with a maximum foreign debt rating of BBB+/Baa1 by S&P or Moody's. Defaulted issues are excluded.

Citi World Broad Investment Grade Index (WBIG)--Government Related, which is a subsector of the WBIG. The index includes fixed rate investment grade agency, supranational and regional government debt, denominated in the domestic currency. The index is rebalanced monthly.

Citi World Broad Investment Grade Index (WBIG)--Corporate, which is a subsector of the WBIG. The index includes fixed rate global investment grade corporate debt within the finance, industrial and utility sectors, denominated in the domestic currency. The index is rebalanced monthly.

Global Equity Strategy June 2019 7

Corporate high yield

Securitized

Bloomberg Barclays Global High Yield Corporate Index. Provides a broad-based measure of the global high yield fixed income markets. It is also a component of the Multiverse Index and the Global Aggregate Index.

Citi World Broad Investment Grade Index (WBIG)--Securitized, which is a subsector of the WBIG. The index includes global investment grade collateralized debt denominated in the domestic currency, including mortgage -backed securities, covered bonds (Pfandbriefe) and asset-backed securities. The index is rebalanced monthly.

Equity Valuation Terms

Price-to-Earnings (P/E) [Share Price / Earnings per Share], The price-earnings ratio indicates the dollar amount an investor can expect to invest in a company in order to receive one dollar of that company's earnings.

Earnings per Share (EPS)

[(Net Income ? Dividends on Preferred Stock) / Total Outstanding Shares], EPS is the portion of a company's profit allocated to each outstanding share of common stock.

Price-to-Book (P/B)

[Share Price / Book Value per Share], Compares a firm's market to reported book value of equity

Return on Equity (ROE) Dividend Yield

[Net Income / Shareholder's Equity], ROE is the amount of net income returned as a percentage of shareholders' equity. It is used to measure a corporation's profitability by revealing how much profit a company generates with money shareholders have invested.

[Dividends per Share / Price per Share], Indicates how much a company pays out in dividends relative to its share price

Cyclically-Adjusted Price-to-Earnings (CAPE)

A valuation measure that uses real earnings per share over a 10-year period to smooth out fluctuations in corporate profits that occur over different periods of a business cycle. Also known as the Shiller P/E ratio.

Other miscellaneous

definitions

Asset Backed Securities A security whose income payments and hence value are derived from and collateralized (or "backed") by a specified

(ABS)

pool of underlying assets such as consumer credit card debt or auto loans.

Commercial Mortgage Backed Securities (CMBS) High Yield Corporate Bonds (HY)

Investment Grade Corporate Bonds (IG)

Citi Economic Surprise Index (CESI)

Commercial mortgage-backed securities (CMBS) are a type of mortgage-backed security that is secured by mortgages on commercial properties, instead of residential real estate.

High yield corporate bonds are bonds with a credit rating less than BBB- (S&P) or Baa3 (Moody's), and are debt securities issued by a corporation and sold to investors. The backing for the bond is usually the payment ability of the company, which is typically money to be earned from future operations.

Investment grade corporate bonds are bonds with a credit rating equal to or above BBB- (S&P) or Baa3 (Moody's), and are debt securities issued by a corporation and sold to investors. The backing for the bond is usually the payment ability of the company, which is typically money to be earned from future operations. The Citi Economic Surprise Indices measure data surprises relative to market expectations. A positive reading means that data releases have been stronger than expected and a negative reading means that data releases have been worse than expected.

Global Equity Strategy June 2019 8

 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download